Dr. Skin hired several people to improve the marketing of his practice. In order to make things simple, he provided them with all of his patients' records to allow them easy access to patient demographic information. Dr. Skin is assured by colleagues that although the involved activity may represent a HIPAA violation, no penalties have been assessed to small practices such as his. Is this true?
Case in point
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has the authority to investigate complaints alleging violations of the HIPAA Privacy and Security Rules by covered entities, and a covered entity must cooperate with an OCR investigation. Physicians in private practice are covered entities and fall under OCR's jurisdiction.
On Feb. 19, 2009, OCR notified a group of surgeons in private practice that it had opened an investigation into a complaint alleging that they had impermissibly disclosed electronic protected health information (ePHI) by making it publicly available on the Internet. The allegations were that a) from April 14, 2003 to Oct. 21, 2009, the surgeons did not provide and document training for each workforce member on the required policies and procedures with respect to PHI, as necessary and appropriate for each employee's role, and b) from Sept. 1, 2005 until Nov. 1, 2009, the practice failed to have in place appropriate and reasonable administrative and technical safeguards to protect the privacy of PHI.
These violations were evidenced by the following: From July 3, 2007 until Feb. 6, 2009, the physicians posted more than 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar; from Sept. 1, 2005 until Nov. 1, 2009, they transmitted ePHI daily from an office-based email account to employees' personal Internet-based email accounts; from Sept. 1, 2005 until Nov. 30, 2009, they did not implement the required administrative and technical security safeguards for the protection of ePHI; and from Sept. 1, 2005 until Dec. 3, 2009, they failed to obtain, in business associate agreements, satisfactory assurances that those entities would appropriately safeguard the ePHI they received from the practice.
Because of these violations, the physicians were required to pay OCR $100,000 and to carry out a Corrective Action Plan (CAP). The CAP required the physicians to implement policies and procedures that at a minimum included the following: an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of PHI wherever it is created, received, maintained, used or transmitted by the practice; a risk management plan that implements security measures sufficient to reduce the risks and vulnerabilities to ePHI identified by the risk assessment to a reasonable and appropriate level; designation of a security official responsible for developing and implementing those policies and procedures; satisfactory assurances from each business associate that receives, maintains, stores or transmits ePHI on behalf of the practice, or otherwise has access to its ePHI, that it will appropriately safeguard that information; technical safeguards for electronic information systems that maintain ePHI so that access, including remote access, is limited to those persons or software programs that have been granted access rights; technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network, including a measure to encrypt or otherwise adequately safeguard ePHI transmitted to or from, or stored on, a portable device, regardless of whether the device is owned by the practice or by a workforce member; and training of all workforce members, including management, who use or disclose PHI on the practice's Privacy and Security Rule policies and procedures, as necessary and appropriate to their functions.
So the answer to Dr. Skin's question is no. OCR has begun to take enforcement action against private practitioners, and the case above shows that a small practice can face a six-figure settlement and a multi-year corrective action plan. Dr. Skin's situation is directly comparable: he handed complete patient records, not just the demographic fields the marketing staff needed, to outside parties, apparently without business associate agreements or any safeguards over how the records would be used, stored or transmitted. Dr. Skin and all dermatologists need to be certain their offices are fully HIPAA compliant.
David Goldberg, M.D., J.D., is director of Skin Laser & Surgery Specialists of New York and New Jersey; director of laser research, Mount Sinai School of Medicine; and adjunct professor of law, Fordham Law School.